From bdacd211f1f69175185e7bdd7cd202061a08a418 Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Wed, 26 Jun 2013 12:11:56 +0000
Subject: [PATCH] Attempt at making AccessControlHandler free of references to org.opends.server.workflowelement.localbackend package (clearly not public API).

---
 opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java                   |   10 +---
 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java                |   65 ++++++++++++++------------------
 opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java                           |   19 ++-------
 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java |    3 -
 4 files changed, 38 insertions(+), 59 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java b/opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java
index b5f3b82..b7e5d72 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java
@@ -27,19 +27,15 @@
  */
 package org.opends.server.api;
 
-
-
-import org.opends.messages.Message;
-
 import java.util.List;
 
+import org.opends.messages.Message;
 import org.opends.server.admin.std.server.AccessControlHandlerCfg;
 import org.opends.server.config.ConfigException;
 import org.opends.server.core.*;
 import org.opends.server.types.*;
 import org.opends.server.workflowelement.localbackend.*;
 
-
 /**
  * This class defines the set of methods and structures that must be
  * implemented by a Directory Server access control handler. All
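Review bot: `import org.opends.server.workflowelement.localbackend.*;` is still in the new import block, so this public API class keeps a compile-time dependency on the package the commit sets out to remove. Presumably the `isAllowed` overloads this diff does not touch still take `LocalBackend*` parameter types. If so, a short `// TODO` beside the import naming the overloads that remain would make the unfinished state explicit. The same wildcard import is left as a context line in `AciHandler.java` and `DefaultAccessControlHandler.java`.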
@@ -74,7 +70,6 @@
    *           related to the server configuration.
    */
   public abstract void initializeAccessControlHandler(T configuration)
-
   throws ConfigException, InitializationException;
 
 
@@ -184,8 +179,7 @@
    *           be decoded. Care must be taken not to expose any
    *           potentially sensitive information in the exception.
    */
-  public abstract boolean isAllowed(
-      LocalBackendBindOperation bindOperation)
+  public abstract boolean isAllowed(BindOperation bindOperation)
     throws DirectoryException;
 
 
@@ -247,8 +241,7 @@
    *           be decoded. Care must be taken not to expose any
    *           potentially sensitive information in the exception.
    */
-  public abstract boolean isAllowed(
-      ExtendedOperation extendedOperation)
+  public abstract boolean isAllowed(ExtendedOperation extendedOperation)
     throws DirectoryException;
 
 
@@ -289,8 +282,7 @@
    *           be decoded. Care must be taken not to expose any
    *           potentially sensitive information in the exception.
    */
-  public abstract boolean isAllowed(
-      LocalBackendModifyDNOperation modifyDNOperation)
+  public abstract boolean isAllowed(ModifyDNOperation modifyDNOperation)
     throws DirectoryException;
 
 
@@ -313,8 +305,7 @@
    *           be decoded. Care must be taken not to expose any
    *           potentially sensitive information in the exception.
    */
-  public abstract boolean isAllowed(
-      LocalBackendSearchOperation searchOperation)
+  public abstract boolean isAllowed(SearchOperation searchOperation)
     throws DirectoryException;
 
 
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 997e1fb..3e72e08 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -28,8 +28,6 @@
  */
 package org.opends.server.authorization.dseecompat;
 
-
-
 import static org.opends.messages.AccessControlMessages.*;
 import static org.opends.server.authorization.dseecompat.Aci.*;
 import static org.opends.server.config.ConfigConstants.*;
@@ -39,11 +37,7 @@
 import static org.opends.server.util.ServerConstants.*;
 import static org.opends.server.util.StaticUtils.*;
 
-import java.util.LinkedHashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.SortedSet;
+import java.util.*;
 import java.util.concurrent.locks.Lock;
 
 import org.opends.messages.Message;
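Review bot: Collapsing the five explicit `java.util` imports into `java.util.*` here, and the three `org.opends.server.core` imports into `org.opends.server.core.*` in the next hunk, hides which types the ACI handler actually depends on. This commit changes which package the operation types come from, so single-type imports such as `import org.opends.server.core.ModifyDNOperation;` would let a reader confirm from the import block that each `isAllowed` overload binds to the core type. Consider keeping explicit imports in this file.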
@@ -54,9 +48,7 @@
 import org.opends.server.backends.jeb.EntryContainer;
 import org.opends.server.config.ConfigException;
 import org.opends.server.controls.GetEffectiveRightsRequestControl;
-import org.opends.server.core.DirectoryServer;
-import org.opends.server.core.ExtendedOperation;
-import org.opends.server.core.SearchOperation;
+import org.opends.server.core.*;
 import org.opends.server.loggers.debug.DebugTracer;
 import org.opends.server.protocols.internal.InternalClientConnection;
 import org.opends.server.protocols.internal.InternalSearchOperation;
@@ -64,8 +56,6 @@
 import org.opends.server.types.*;
 import org.opends.server.workflowelement.localbackend.*;
 
-
-
 /**
  * The AciHandler class performs the main processing for the dseecompat
  * package.
@@ -209,7 +199,7 @@
       SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry)
   {
     AciLDAPOperationContainer operationContainer =
-      new AciLDAPOperationContainer(operation, (ACI_READ), unfilteredEntry);
+        new AciLDAPOperationContainer(operation, ACI_READ, unfilteredEntry);
 
     // Proxy access check has already been done for this entry in the
     // maySend method, set the seen flag to true to bypass any proxy
@@ -361,7 +351,7 @@
    * {@inheritDoc}
    */
   @Override
-  public boolean isAllowed(LocalBackendBindOperation bindOperation)
+  public boolean isAllowed(BindOperation bindOperation)
   {
     // Not planned to be implemented.
     return true;
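Review bot: The `// Not planned to be implemented.` comment on `isAllowed(BindOperation)` does not say that the method grants access unconditionally. After this signature change that applies to every `BindOperation` handed to the handler, not only the local-backend subtype. Because this is the ACI handler's answer to an access-control question, the comment should state the decision, for example `// Binds are not subject to ACI evaluation in this handler: always allowed.` The same applies to `isAllowed(SearchOperation)` further down, which has the identical comment and body.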
@@ -436,7 +426,7 @@
    * @return True if access is allowed.
    */
   @Override
-  public boolean isAllowed(LocalBackendModifyDNOperation operation)
+  public boolean isAllowed(ModifyDNOperation operation)
   {
     boolean ret = true;
     DN newSuperiorDN;
@@ -468,7 +458,7 @@
       if (ret && (newSuperiorDN != null))
       {
         AciLDAPOperationContainer operationContainer =
-            new AciLDAPOperationContainer(operation, (ACI_EXPORT),
+            new AciLDAPOperationContainer(operation, ACI_EXPORT,
                 operation.getOriginalEntry());
         // The RDNs are not equal, skip the proxy check since it was
         // already performed in the aciCheckRDNs call above.
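Review bot: Nothing in this hunk checks the result of `operation.getOriginalEntry()` before it becomes the resource entry for the ACI_EXPORT evaluation, and the call is now made on the core `ModifyDNOperation` type rather than `LocalBackendModifyDNOperation`. If any implementation of the wider type can return null before local-backend processing has populated the entry (not visible from here), the access decision would be computed against a missing entry. Failing closed is the safer behaviour, e.g. `Entry original = operation.getOriginalEntry(); if (original == null) { return false; }` ahead of the container construction. The same call feeds the ACI_WRITE check in `aciCheckRDNs`. The body of `isAllowed(ModifyDNOperation)` starts and ends outside this hunk.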
@@ -504,7 +494,7 @@
    * {@inheritDoc}
    */
   @Override
-  public boolean isAllowed(LocalBackendSearchOperation searchOperation)
+  public boolean isAllowed(SearchOperation searchOperation)
   {
     // Not planned to be implemented.
     return true;
@@ -526,7 +516,7 @@
     else
     {
       AciLDAPOperationContainer operationContainer =
-        new AciLDAPOperationContainer(operation, (ACI_READ), entry);
+          new AciLDAPOperationContainer(operation, ACI_READ, entry);
       return testFilter(operationContainer, filter);
     }
   }
@@ -580,7 +570,7 @@
       e.addAttribute(builder.toAttribute(), null);
       SearchResultEntry se = new SearchResultEntry(e);
       AciLDAPOperationContainer operationContainer =
-          new AciLDAPOperationContainer(operation, (ACI_READ), se);
+          new AciLDAPOperationContainer(operation, ACI_READ, se);
       operationContainer.setCurrentAttributeType(refAttrType);
       ret = accessAllowed(operationContainer);
     }
@@ -601,7 +591,7 @@
     }
 
     AciLDAPOperationContainer operationContainer =
-      new AciLDAPOperationContainer(operation, (ACI_SEARCH), entry);
+        new AciLDAPOperationContainer(operation, ACI_SEARCH, entry);
 
     // Pre/post read controls are associated with other types of operation.
     if (operation instanceof SearchOperation)
@@ -1016,31 +1006,35 @@
 
 
   /**
-   * Perform all needed RDN checks for the modifyDN operation. The old
-   * RDN is not equal to the new RDN. The access checks are: - Verify
-   * WRITE access to the original entry. - Verfiy WRITE_ADD access on
-   * each RDN component of the new RDN. The WRITE_ADD access is used
-   * because this access could be restricted by the targattrfilters
-   * keyword. - If the deleteOLDRDN flag is set, verify WRITE_DELETE
-   * access on the old RDN. The WRITE_DELETE access is used because this
-   * access could be restricted by the targattrfilters keyword.
+   * Perform all needed RDN checks for the modifyDN operation. The old RDN is
+   * not equal to the new RDN. The access checks are:
+   * <ul>
+   * <li>Verify WRITE access to the original entry.</li>
+   * <li>Verify WRITE_ADD access on each RDN component of the new RDN. The
+   * WRITE_ADD access is used because this access could be restricted by the
+   * targattrfilters keyword.</li>
+   * <li>If the deleteOLDRDN flag is set, verify WRITE_DELETE access on the old
+   * RDN. The WRITE_DELETE access is used because this access could be
+   * restricted by the targattrfilters keyword.
+   * <li>
+   * </ul>
    *
    * @param operation
-   *          The ModifyDN operation class containing information to
-   *          check access on.
+   *          The ModifyDN operation class containing information to check
+   *          access on.
    * @param oldRDN
    *          The old RDN component.
    * @param newRDN
    *          The new RDN component.
    * @return True if access is allowed.
    */
-  private boolean aciCheckRDNs(LocalBackendModifyDNOperation operation,
+  private boolean aciCheckRDNs(ModifyDNOperation operation,
       RDN oldRDN, RDN newRDN)
   {
     boolean ret;
 
     AciLDAPOperationContainer operationContainer =
-        new AciLDAPOperationContainer(operation, (ACI_WRITE), operation
+        new AciLDAPOperationContainer(operation, ACI_WRITE, operation
             .getOriginalEntry());
     ret = accessAllowed(operationContainer);
     if (ret)
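Review bot: The rewritten Javadoc list for `aciCheckRDNs` ends its third item with a second `<li>` where `</li>` is meant, leaving one unclosed item and one empty item that Javadoc tooling may warn about or render oddly. Drop the lone `* <li>` line before `* </ul>` and close the item on the preceding line: `* restricted by the targattrfilters keyword.</li>`. The method body continues past the end of this hunk.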
@@ -1069,8 +1063,8 @@
    *           If a problem occurs while trying to retrieve the new
    *           superior entry.
    */
-  private boolean aciCheckSuperiorEntry(DN superiorDN,
-      LocalBackendModifyDNOperation op) throws DirectoryException
+  private boolean aciCheckSuperiorEntry(DN superiorDN, ModifyDNOperation op)
+      throws DirectoryException
   {
     boolean ret = false;
     final Lock entryLock = LockManager.lockRead(superiorDN);
@@ -1088,8 +1082,7 @@
       if (superiorEntry != null)
       {
         AciLDAPOperationContainer operationContainer =
-            new AciLDAPOperationContainer(op, (ACI_IMPORT),
-                superiorEntry);
+            new AciLDAPOperationContainer(op, ACI_IMPORT, superiorEntry);
         ret = accessAllowed(operationContainer);
       }
     }
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java
index 45b1454..c289c8c 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java
@@ -25,7 +25,6 @@
  *      Copyright 2008-2009 Sun Microsystems, Inc.
  *      Portions Copyright 2011 ForgeRock AS
  */
-
 package org.opends.server.authorization.dseecompat;
 
 import org.opends.server.core.*;
@@ -145,7 +144,7 @@
      * @param rights  The rights of the modify DN operation.
      * @param entry  The entry to evaluated for this modify DN.
      */
-    public AciLDAPOperationContainer(LocalBackendModifyDNOperation operation,
+    public AciLDAPOperationContainer(ModifyDNOperation operation,
                                      int rights,
                                      Entry entry) {
         super(operation, rights,  entry);
diff --git a/opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java b/opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java
index 40ebc16..2fda70d 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java
@@ -27,16 +27,12 @@
  */
 package org.opends.server.core;
 
-
-
 import org.opends.server.admin.std.server.AccessControlHandlerCfg;
 import org.opends.server.api.AccessControlHandler;
 import org.opends.server.config.ConfigException;
 import org.opends.server.types.*;
 import org.opends.server.workflowelement.localbackend.*;
 
-
-
 /**
  * This class implements a default access control provider for the Directory
  * Server.
@@ -98,7 +94,7 @@
    * {@inheritDoc}
    */
   @Override
-  public boolean isAllowed(LocalBackendBindOperation bindOperation)
+  public boolean isAllowed(BindOperation bindOperation)
   {
     return true;
   }
@@ -164,7 +160,7 @@
    * {@inheritDoc}
    */
   @Override
-  public boolean isAllowed(LocalBackendModifyDNOperation modifyDNOperation)
+  public boolean isAllowed(ModifyDNOperation modifyDNOperation)
   {
     return true;
   }
@@ -175,7 +171,7 @@
    * {@inheritDoc}
    */
   @Override
-  public boolean isAllowed(LocalBackendSearchOperation searchOperation)
+  public boolean isAllowed(SearchOperation searchOperation)
   {
     return true;
   }

--
Gitblit v1.10.0